This project aims to create a tool that can fix the smashed UPX headers of malicious ELF binaries, particularly focusing on fixing the zeroed l_info & p_info headers.
The UPX-Fix project provides a tool that can repair the headers of ELF binaries with zeroed UPX headers. This can be particularly useful when analyzing malware samples, as many malicious samples (for example Mozi malware) are intentionally damaged to hinder unpacking.
To use this project, you will need to have Nim lang installed on your system or download precompiled executables. This can be done by following the instructions on the Nim website.
UPX-Fix can be run from the command line interface using its built-in script or by manually executing the compiled binary.
To build and execute the CLI version of UPX-Fix, follow these steps:
- Open your terminal or command prompt.
- Navigate to the directory containing the source code file
upx_fix.nim. - Run the following command to compile the script into an executable binary:
nimble build - Once compiled, you can use the following command to execute UPX-Fix with the
-hflag to display the help menu:./upx_fix -h - To fix a file, simply provide its path as an argument to the
-for--fileflag followed by any additional optional arguments, such as the-for--forceflag to force overwriting of existing files without confirmation. For example:./upx_fix malware_sample - Unpack newly created
malware_sample.fixlike normal upx executable:upx -d malware_sample.fix
The source code file upx_fix.nim contains the implementation of the UPX-Fix tool. It uses the Nim programming language, which provides a clean and readable syntax while offering strong static typing features. The project also relies on third-party libraries such as cligen for command line interface.
The code primarily consists of three main procedures:
getMagicOffset(s: MemFile): int: This procedure searches for the magic number "UPX!" in the memory file and returns its offset from the start of the file. If it cannot find the magic number, it displays an error message and exits without fixing the file.recoverFileSize(s: MemFile): uint32: This procedure attempts to recover the original file size by reading the last 12 bytes of the memory file and interpreting them as a 32-bit unsigned integer. If it successfully recovers the file size, it updates the corresponding structure field in the Pinfo object.fix(fileName: string, force = false): This procedure is responsible for fixing the given file by reading its content, extracting relevant data structures (l_info and p_info), updating their fields based on the recovered file size, and writing the modified memory file back to disk with a new extension (e.g.,.fix).